CVE-2019-6576

Vulnerability

The vulnerability (CWE-522: Insufficiently Protected Credentials) resides in the TLS implementation of Siemens SIMATIC HMI Comfort Panels 4"–22", Comfort Outdoor Panels 7" & 15", KTP Mobile Panels (KTP400F, KTP700, KTP700F, KTP900, KTP900F), WinCC Runtime Advanced, WinCC Runtime Professional, WinCC (TIA Portal), and HMI Classic Devices (TP/MP/OP/MP Mobile Panel). All versions prior to V15.1 Update 1 are affected, except for Classic Devices where all versions are vulnerable [1]. An attacker with network access to the device's web interface can obtain a TLS session key, which is insufficiently protected.

Exploitation

An attacker must have network access to the web interface of an affected device and be able to observe TLS traffic between a legitimate user and that interface. No authentication is required, but the attack complexity is high (CVSSv3 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). The attacker first obtains the TLS session key, then uses it to decrypt the observed TLS traffic [1].

Impact

Successful exploitation compromises the confidentiality of communications between the device and a legitimate user. The attacker can decrypt all TLS-encrypted data exchanged during the session, potentially exposing sensitive information such as credentials or process data. The CVSSv3 base score is 5.9, with a high impact on confidentiality [1].

Mitigation

Siemens has released version V15.1 Update 1 which fixes the vulnerability for all affected products except the HMI Classic Devices, for which no fix is available as they are end-of-life. Users should update to V15.1 Update 1 or later. At the time of advisory publication (2019-05-14), no public exploitation was known [1].